Network attached device with dedicated firewall security

ABSTRACT

Dedicated firewall security for a network attached device (NAD) is provided by a firewall management system integrated directly into the NAD or into a NAD server. A local area network arrangement includes a network client and the NAD and the firewall management system includes computer readable medium having computer-executable instructions that perform the steps of receiving a request for network access to the NAD from the network client, determining whether the request for network access to the NAD is authorized, and only if the request for network access is authorized, providing the network client with network access to the NAD.

I. CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.12/773,716, filed on May 4, 2010, now U.S. Pat. No. 8,306,994, issued onNov. 6, 2012, which is a continuation of U.S. patent application Ser.No. 09/951,877, filed on Sep. 11, 2001, now U.S. Pat. No. 7,739,302,issued on Jun. 15, 2010, which is a continuation of U.S. patentapplication Ser. No. 09/144,954 filed on Sep. 1, 1998, to StacyKenworthy (entitled “Internal Network Node with Dedicated Firewall”),now U.S. Pat. No. 6,317,837, issued on Nov. 13, 2001.

II. FIELD OF THE PRESENT INVENTION

The present invention relates generally to dedicated security for anetwork attached device in a computer network environment. Inparticular, the present invention relates to a management system forproviding access to and security for data on network attached devices.

III. BACKGROUND OF THE PRESENT INVENTION

A network attached device (NAD) may be any type of hardware unit that isconnected to a computer network. Exemplary NADs include, but are notlimited to: CD-ROM drives, DVD drives, optical drives, tape drives, harddisk drives, ZIP drives, JAZ drives, routers, printers, facsimilemachines, audio devices, and video devices. NADs are generally connectedto a local area network (LAN) via a NAD server. A NAD server providesthe users of the LAN with access to the resources of the network.

A NAD server generally refers to a node (computer) on the LAN thatpermits other nodes on the LAN to access one or more NADs. A NAD serverprocesses NAD-access requests and provides the appropriate access to aNAD. The NAD server may send incoming data from the requesting node tothe NAD, or may retrieve data from the NAD and send the retrieved databack to the requesting node. NAD servers are generally dedicatedservers, meaning that their sole purpose is to provide access to NADs.NAD servers often support multiple network protocols, which allow themto accept NAD-access requests from various nodes in a heterogeneousnetwork environment.

Most LANs are, or should be, protected by a bastion firewall. Bastionfirewalls restrict access between an internal network, such as a LAN,and an external network, such as the Internet. Bastion firewalls areconsidered to be uni-directional, i.e., protecting the internal networkfrom unauthorised traffic in-coming from the external network. Bastionfirewalls are designed to run as few applications as possible in orderto reduce the number of potential security risks. As such, bastionfirewalls do not perform data management tasks.

Bastion firewalls are typically the only layer of security for NADsattached to a LAN. NAD servers are not equipped with a second layer ofsecurity because it is generally accepted that such a second layer ofsecurity is redundant with the bastion firewall. Therefore, once abastion firewall is penetrated, whether by an authorized or unauthorizeduser, the user typically gains unrestricted access to all resources ofthe LAN, including any NADs. However, the level of security provided bya bastion firewall may not always supply adequate protection for theNADs of a LAN. For example, it may be desirable to establish varyinglevels of security clearance, such that only certain authorized users ofthe LAN are permitted to access a particular NAD server. Also, if a NADserver provides access to valuable or sensitive data stored on a NAD, itmay be desirable to implement extra security measures to prevent anunauthorized user of the LAN, who happens to penetrate the bastionfirewall, from gaining access to the NADs.

According, there remains a need for a NAD server having an integratedfirewall, which provides an additional layer of security for a NADbeyond that provided by a bastion firewall.

IV. SUMMARY OF THE PRESENT INVENTION

The present invention fulfills the need in the art by providing anetwork attached device server having integrated firewall security. TheNAD server is provided for implementing a network attached device andfirewall management system (NADFW-MS). The NADFW-MS comprises a firewallcomponent for determining whether requests for NAD-access are authorizedand a data management component for accepting an authorized request fromthe firewall component and providing the requested access to the NAD.NAD-access requests are sent to the NAD server by a network node, suchas a network client. The NAD-access requests are contained in datapackets having headers. The firewall component accepts the data packetsand determines whether the data packets are authorized based oninformation included in the data packet headers.

The firewall component implements a series of tests to determine whethera data packet is valid. For example, the firewall component maydetermine that a data packet is authorised by: determining that theinformation in the data packet header is complete; determining that theinformation in the data packet header indicates that the data packetarrived at the NAD server via an authorized network interface;determining that the data packet header contains a valid source address;determining that the data packet header contains a valid destinationaddress; and determining that the data packet header contains properinformation to access a proper port of the NAD server. If a data packetfails any one of the firewall component's filtering tests, the datapacket is discarded. Whenever a data packet is discarded, the reason fordiscarding the data packet may be recorded in a log file for futurereference.

An authorized data packet is passed from the firewall component to thedata management component. The data management component comprises oneor more network protocol programs that are compatible with authoriseddata packets sent by various heterogeneous network nodes. The datamanagement component also comprises one or more interface mechanisms,such as ODE, SCSO, EODE, Fiber Channel, etc., that allow the NADFW-MS tocommunicate with various types of associated NADs. The data managementcomponent provides access to an appropriate NAD by using a networkprotocol program to communicate a NAD-access request to an interfacemechanism, which in turn communicates with the NAD. Alternatively, thedata management component may provide access to the appropriate NAD byacting as a prosy server. In the capacity of a prosy server, the datamanagement component generates a new data packet, based on theNAD-access request, and sends the new data packets to a second NADserver.

V. BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram of the general architecture of anexemplary embodiment of the present invention;

FIG. 2 is a functional block diagram of an exemplary network attacheddevice (NAD) server that provides an operating environment for theexemplary embodiments of a network attached device and firewallmanagement system (NADFW-MS) of the present invention;

FIG. 3 is a functional block diagram of an internal communication schemeused by an exemplary NAD server to provide access to a NAD;

FIG. 4 is a functional block diagram of a communications subsystem foran exemplary NAD server;

FIG. 5 is a logical flow chart of the general process by which anexemplary NADFW-MS provides security for and access to a NAD;

FIG. 6 is a flowchart of an exemplary method of data packet filteringperformed by an exemplary NADFW-MS;

FIG. 7 is a functional block diagram of the general architecture of analternative, exemplary embodiment of the present invention; and

FIG. 8 is a functional block diagram of the general architecture ofanother alternative, exemplary embodiment of the present invention.

VI. DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

The present invention fulfills the need in the art by providing animproved NAD server having integrated firewall functionality. Theimproved NAD server implements a network attached device and firewallmanagement system (NADFW-MS). The NADFW MS may be thought of as havingtwo components: a firewall component for providing a second layer ofnetwork security to maintain the integrity of an associated NAD; and adata management component for providing access to one or more associatedNADs. The firewall component, in effect, wraps a dedicated firewallaround only an associated NAD. The data management component acceptsauthorized data packets from the firewall component and processesNAD-access requests contained therein.

The description of the exemplary embodiments of the present inventionwill hereinafter refer to the drawings, in which like numerals indicatelike elements throughout the several figures. Beginning with FIG. 1, anexemplary NAD server 110 for implementing a NADFWMS 111 is shown asbeing connected to a LAN 112. As mentioned, the NADFW-MS 111 providessecurity for and access to various NADs 116 that are attached to the LAN112 via the NADFW-MS 111. The exemplary NADs shown are a CD-ROM tower116A, a printer 116B and video codec 116C. Those skilled in the art willrecognize that a NAD may be any type of hardware device that is attachedto a computer network. As can be seen, the NADFW-MS 111 wraps adedicated firewall 117A-C around each of the associated NADs 116A-C,respectively.

Also connected to the LAN 112 are several network clients 114A-C. TheLAN 112 may further include other types of network nodes, such as othercommonly known servers or workstations (not shown). For the sake ofsimplicity, other network nodes are not shown because network clients114 and the NAD server 110 are the nodes that are most relevant to thepresent embodiment. Network clients 114 send data packets, containingNAD-access requests, to the NAD server 110. The NADFW-MS 111 filters thein-coming data packets according to information contained in the headerof the data packets. Those data packets that are not rejected by thefiltering procedure are processed by the NADFW-MS 111 and theappropriate NAD-access is provided to the requesting network client 114.As illustrated in FIG. 1, the NADFW-MS 111 provides direct access toeach NAD 116; however, the NADFW-MS 111 may alternatively act as a prosyserver for another NAD server (see FIG. 7 and associated discussionherein). In the capacity of a proxy server, the NADFW-MS 111 maygenerate a new data packet, based on information in the original datapacket, and forward the new data packet to another NAD server, such as aCD-ROM server, a mail server, or any other dedicated server typicallyconnected to a computer network.

As shown, the LAN 112 is separated from an external network 122 by abastion firewall server 120. The bastion firewall Server 120 creates auni-directional firewall 121 that guards the LAN 112 againstunauthorized data packets coming in from the external network 122. Thebastion firewall server 120, in effect, wraps a bastion firewall 121around the entire LAN 112. Clients from the external network 122 mustpenetrate the bastion firewall 121 in order to gain access to the LAN112. Then, in order to gain access to the NADs 116 attached to the LAN112, clients from the external network 122 must penetrate the secondlayer of security provided by the NADFW-MS 111 of the NAD server 110. Asshown, the external network 122 may be any remote network, such as theInternet, end may comprise other LANs 124A-B or wide area networks(WANs) 126.

FIG. 2 describes a NAD server 110, which serves as an exemplaryoperating environment for the present invention. The primary purpose ofthe NAD serves 110 is to implement a NADFW-MS program module 111 thatcomprises computer-implemented instructions for providing access to andsecurity for data stored on a NAD 116. The exemplary NAD sever 110 maybe a conventional computer system that is configured to operate as adedicated network server. The NAD server 110 includes a processing unit221, a system memory 222, and a system bus 223 that couples the systemmemory 222 to the processing unit 221. The system memory 222 includesread only memory (ROM) 224 and random access memory (RAM) 225. A basicinput/output system (BIOS) 228, containing the basic routines that helpto transfer information between elements within the NAD server 110, suchas during start-up, is stored in ROM 224.

The NAD server 110 further includes a data storage mechanism such as aStorage ROM. The NAD server 110 may optionally include a hard disk drive227 or a magnetic disk drive 228, e.g., to read from or write to aremovable disk 229, and/or an optical disk drive 230, e.g., for readinga CD-ROM disk 231 or to read from or write to other optical media. Thehard disk drive 227, magnetic disk drive 228, and optical disk drive 230are connected to the system bus 223 by a hard disk drive interface 232,a magnetic disk drive interface 233, and an optical drive interface 234,respectively. The drives and their associated computer-readable mediaprovide nonvolatile storage for the NAD server 110. Although thedescription of computer-readable media above refers to a hard disk, aremovable magnetic disk, and a CD-ROM disk, it should be appreciated bythose skilled in the art that other types of media that are readable bya computer system, such as magnetic cassettes, flash memory cards,digital video disks, Bernoulli cartridges, and the like, may also beused in the exemplary operating environment. A number of program modulesmay be stored in computer readable media of the NAD server 110,including an operating system 235, the NADFW-MS program module 111 andother program modules 238. The operating system (OS) 235 may comprisesOS network protocol programs 235A to provide communicationscompatibility with other network nodes, such as network client 114. Theoperating system 235 may also comprise OS interface such as an SCSIinterface 235B and SCSI drivers 235C to be used for communicating withNADs 116.

The NAD server 110 operates in a networked computer environment, usinglogical connections to one or more remote computers, such as a networkclient 114. Remote computers may also be another network server, arouter, a peer device, or other common network node. The logicalconnections depicted in FIG. 2 include a local area network (LAN) 112.Such networking environments are commonplace in offices, enterprise-widecomputer networks, and intranets. When used in a LAN networkingenvironment, the NAD server 110 is connected to the LAN 112 through anetwork interface 253. Network connections may also be established via amodem 254. The modem 254, which may be internal or external, isconnected to the system bus 223 via the serial port interface 246. Itwill be appreciated that the network connections shown, are exemplaryand other means of establishing a communications link between thecomputer systems may be used.

Stored in the remote memory storage device 250 of the network client 114may be various program modules, including an application program module236. Application program module 236 may generate requests for access toa NAD 116. The NAD-access requests are transported over the LAN 112 tothe NAD server 110 in the form of data packets. The data packets arescreened by the NADFW-MS program module 111 and, if authorized, theNADFW-MS program module 111 grants the requested access to theappropriate NAD 116.

NAD server 110 may be equipped with a number of input devices, such as akeyboard 240 and a mouse 242. Other input devices (not shown) mayinclude a microphone, joystick, game pad, satellite dish, scanner, orthe like. These and other input devices are often connected to theprocessing unit 221 through a serial port interface 246 that is coupledto the system bus 223, but may be connected by other interfaces, such asa game port or a universal serial bus (USB) (not shown). A monitor 247or other type of display device may also be connected to the system bus223 via an interface, such as a video adapter 248. In addition to themonitor, the exemplary NAD server 110 may include other peripheraloutput devices (not shown), such as speakers. A NAD server may bemanaged remotely by network clients. A remotely managed NAD server isreferred to as a “headless” NAD server. Network clients manage aheadless server in a secure environment by sending and receivingencrypted access and transfer commands to and from the NAD server.

Those skilled in the art will appreciate that the invention may be topracticed with network server configurations other than the one shown,such as: multiprocessor systems, microprocessor-based or programmableconsumer electronics, minicomputers, mainframe computers, and the like.The invention may also be practiced in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through the communications network. In a distributedcomputing environment, program modules may be located in both local andremote memory storage devices.

Notwithstanding the broad applicability of the principles of the presentinvention, it should be understood that the configuration of theexemplary NADFW-MS program module 111 for widely-used NAD servers 110provides significant advantages. In particular, the NADFW-MS programmodule 111, comprising computer-implemented instructions for providingaccess to and security for data stored on a NAD 116, is specificallydesigned to exhibit acceptable memory-use and performancecharacteristics when implemented on the conventional NAD server 110. Inso configuring the NADFW-MS program module 111, certain compromises,particularly between the often conflicting goals of minimizing memorystorage and increasing performance speed, have necessarily been made. Itshould be understood that variations of the compromises made in theexemplary embodiments described in this specification are within thespirit and scope of the present invention, particularly in view of thefact that inevitable improvements in computer hardware and memorystorage devices will make other compromises feasible.

FIG. 3 illustrates the internal communications scheme used by theexemplary NAD server 110 for the purpose of accessing a NAD 116. TheNADFW-MS 111 provides security for the NADs 116 by serving as afiltering firewall and/or a proxy firewall. Data packets that passthrough the firewall of the NADFW-MS 111 are processed by the operatingsystem (OS) 235 of the NAD server 110. The OS 235 includes networkprotocol programs 235A that provide a link between a network client 114and the NADs 116. OS network protocol programs 235A must be compatiblewith the network protocol program of the network client 114 that isrequesting NAD-access. The exemplary NAD server 110 includes multiple OSnetwork protocol programs 235A, so as to provide NAD-access to multipletypes of network clients 114 in a heterogeneous network environment. LAN112, as shown in FIG. 1, is an example of a heterogeneous networkenvironment that comprises a “Mac” network client 114A, running the“Macintosh” operating system, a “PC” network client 114B, running “DOS,”and a “UNIX” network client 114C, running the “UNIX” operating system.For example, the “Mac” network client 114A would likely utilize the“Appletalk” network protocol, while the “PC” network client 114B wouldlikely utilize Novell's “Netware” protocol and the “UNIX” network client114C would likely utilize the TCP/IP standard. The inclusion of multipleOS network protocol programs 235A in the exemplary NAD server 110,allows the NAD server 110 to provide discriminatory NAD-access toheterogeneous network clients 114A-C based on the IP addressee of thenetwork clients 114A-C or other information contained in the header of adata packet. The OS 235 uses the OS network protocol programs 235A tocommunicate with the OS Small Computer System Interface (SCSI)mechanisms, which in turn communicate with the NADs 116. The SCSImechanisms shown are the SCSI interfaces 235B and the OS SCSI drivers235C.

FIG. 4 demonstrates an exemplary communications subsystem for the NADserver 110. The exemplary communications subsystem is modeled on theInternational Standards Organization's Reference Model for Open SystemsInterconnection (ISO OSI). As such, the communications subsystem of theNAD server 110 may comprise a number of protocol layers, each of whichperforms one or more well-defined functions. Protocol layers of the NADserver 110 communicate with the corresponding peer layers in thecommunications subsystem of the network client 114. The communicationssubsystem of the NAD server 116 comprises a NADFW-MS layer comprisingthe NADFW-MS 111. As shown, the NADFW-MS comprises two components: afirewall component 111A and a data management component 111B. Thefirewall component 111A is responsible for providing security for theassociated NADs 116, while the data management component 111B isresponsible for interfacing with the NADs 116 to provide the requestedNAD-access. The peer layer to the NADFW-MS 111 is the application layer402 of the network client 114. The application layer 402 is responsiblefor generating a NAD-access request.

The operation and purpose of the remaining protocol layers are wellknown in the art. Briefly, however, the presentation layer 404 isconcerned with the representation (syntax) of data during transferbetween the NADFW-MS 111 and application layer 402. The session layer406 allows the NADFW-MS layer 111 and application layer 402 to organizeand synchronize their dialog and manage their data exchange. The sessionlayer 406 is thus responsible for setting up a dialog channel betweenthe NADFW-MS 111 and application layer 402 for the duration of a networktransaction. The transport layer 410 acts as the interface between thehigher layers and the underlying network-dependent protocol layers. Thetransport layer 410 provides the session layer 406 with a messagetransfer facility that is independent of the underlying network type.The remaining layers (the network layer 412, the link layer 414, and thephysical layer 416) are network dependent layers. The network layer 412is responsible for establishing a network-wide connection between twotransport layer protocols. The link layer 414 builds on the physicalnetwork connection provided by the particular network to provide thenetwork layer 412 with a reliable information transfer facility. Lastly,the physical layer 416 is concerned with the physical and electricalinterfaces between the network client 114 and the NAD server 110.

FIG. 5 provides a flow chart of the general process by which theexemplary NAD server 110 running the exemplary NADFW-MS 111 providessecurity for and access to an associated NAD 116. The process isinitiated at step 505 and proceeds to step 510, during which anapplication program module at a network client 114 generates a datapacket containing a NAD-access request. The data packet includes aheader that contains information identifying the source and destinationof the data packet, as well as other information. Next, at step 512, thedata packet is transported over the LAN 112 and at step 514 the datapacket is received by the NAD server 110. Once received at the NADserver 110, the data packet is screened by the firewall component 111Aof the NADFW-MS 111 at step 516. Screening of the data packet by thefirewall 111A may involve several types of filtering tests, which aredescribed in greater detail below with reference to FIG. 6. Only anauthorized data packet will pass through the firewall component 111A ofthe NADFW-MS 111. Thus, at step 520, if the data packet is determined tobe unauthorized, the process proceeds to step 522, in which theunauthorized data packet is discarded. After a data packet is discarded,the process is terminated at step 526. If, at step 520, the data packetis determined to be authorized, the data packet is forwarded to the datamanagement component 111B of the NADFW-MS 111 at step 524, in which therequested NAD-access is provided.

The data management component 111B may act as a traditional NAD serverby providing direct access to a NAD 116 (as shown in FIG. 1), or may actas a “proxy” NAD server 110A for another NAD server 110B (as shown inFIG. 7). Still referring to FIG. 7, as a proxy NAD server 110A, the datamanagement component 111B generates a new packet to communicate theNAD-access request to the other NAD server 110B. In this fashion, evenif a data packet passes the firewall component 111A, the data packetdoes not reach its destination, i.e., the other NAD server 110B. Rather,the data management component 111B establishes a link to the otherserver 110B and generates a new data packet. Such an additional linkprovided by a proxy server 110A is often used for network security as afurther layer of separation between network clients 114 and NAD servers.After the requested NAD-access is provided for an authorized datapacket, the process is terminated at step 526.

The flowchart of FIG. 6 describes the steps involved in an exemplarymethod of data packet filtering performed by the firewall component 111Aof the NADFW-MS 111. The firewall component 111A provides a series offiltering tests that a data packet must endure before being passed on tothe data management component 111B of the NADFW-MS 111. The method isinitiated at step 602 and continues to step 605, during which thefirewall component 111A examines the header of a data packet. Initially,the firewall component 111A determines whether the data packet meetscertain minimum format requirements. For example, a particular networkprotocol may require the header of a data packet to contain certainfields, having certain information and comprising a certain number ofbytes. If the necessary information is not included in the data packet,the data packet is deemed incorrectly configured and is removed fromfurther consideration. Thus, at step 610, if the in-coming data packetheader is determined to be incomplete or fails to meet otherpredetermined specifications, the data packet is immediately discardedat step 612. In the exemplary embodiment, whenever a data packet isdiscarded at step 612, the reason for discarding the data packet iswritten to a log file. The log file may be maintained over time andperiodically analyzed for security purposes. As an illustration, it maybe determined upon examination of the log file that a certain networkclient makes repeated attempts to access a NAD 116 without properauthorization. A network administrator may then perform an appropriateinvestigation. After a data packet is discarded, the method isterminated at step 634.

If the data packet is determined at, step 610 to be complete, the methodproceeds to step 615, where a determination is made as to whether thedata packet arrived via an authorized network interface 253. In thisway, the NADFW-MS 111 is able to screen a data packet based on theparticular network node from which the data packet was sent. Thismechanism provides the NADFW-MS 111 with multi-directional accesscontrol. Data packets coming from certain network connections may beaccepted, while data packets coming from other network connections maybediscarded and logged at step 612. Again, after a data packet isdiscarded, the method is terminated at step 634.

Next, at step 620, a determination is made as to whether the header ofthe data packet contains valid and authorized source and destinationaddress information. If the IP addresses of the data packet's source anddestination are invalid or unauthorized, the packet will be denied anddiscarded at step 612. Again, if a data packet is discarded, the reasonfor discarding the data packet is recorded in the log file at step 612and the method ends at step 634.

If the data packet contains valid IP addresses, a final test in theexemplary data packet filtering method is performed. At step 625, theheader of the data packet is checked to ensure that it includes theproper information to gain access to the proper port of the NADFW-MS111. Since the exemplary NAD server 110 implements a variety of OSnetwork protocol programs 235A, the NADFW-MS 111 can also limitNAD-access based on which port an OS network protocol program 235A uses.Before a network client 114 sends an authorized NAD-access request tothe NAD server 110, the transport layer 410 of the NAD server 110 alertsthe transport layer 410 of the network client 114 as to which port adata packet should be sent and what information should be included inthe data packet header. For example, the NAD server 110 may dictate thatall “Netware” based data packets include certain designated informationand be directed to port “X.” If an in-coming “Netware” based data packetattempts to access any port other than port “X,” or attempts to accessport “X” but does not include the designated information, the datapacket will be discarded and the reason for discarding the data packetwill be logged at step 612. If a data packet is discarded, the methodterminates at step 634. However, if a data packet successfully passesall of the above filtering tests, the data packet is considered to beauthorized and at step 630 is passed to the data management component111B. After step 630, the method is terminated at step 634.

As previously mentioned, FIG. 7 illustrates an alternative embodiment ofthe present invention. FIG. 7 is similar to FIG. 1, however, instead ofhaving a traditional NAD sever 110, which provides direct access to eachNAD 116, LAN 112 includes a “proxy” NAD server 110A and another NADserver 110B. NADs 116 are connected directly to the NAD server 110B,which is isolated from other nodes on the LAN 112 and external to theLAN 112 by means of the “proxy” NAD server 110A. Such an arrangementprovides greater network security because data packets received by the“proxy” server 110A are not forwarded to the NAD server 110B but ratherprocessed by the “proxy” server 110A, which, in turn, generates new datapackets that are then forwarded to the NAD server 110B, as discussedabove.

FIG. 8 illustrates another alternative embodiment of the presentinvention. FIG. 8 is also similar to FIG. 1, however, rather than eachNAD 116 being connected to the LAN 112 through a NAD server 110, eachNAD 116 is a separate node connected directly to the LAN 112. With thisarrangement, each NAD 116A-C has installed therein its own NADFW-MS131A-C, winch wraps a dedicated firewall 127A-C around the operationalcomponents 126A-C, respectively, of the NAD 116A-C in which it isinstalled. Data packets from nodes internal or external to the LAN 112are routed to the appropriate NAD 116 by means of a convention networkrouter, hub, or switch 130. Filtering and processing of the data packetis then handled by the appropriate NADFW-MS 131A-C associated with theparticular NAD 116A-C that receives the data packet.

In view of the foregoing, it will be appreciated that the presentinvention provides a method and system for securely managing a networkattached device (NAD). The present invention provides a NAD with ansecond layer of firewall security, over and above that which may beprovided by a bastion firewall. A bastion firewall may provide a firstlayer of security by screening externally generated NAD-access requests.However, the present invention introduces another firewall that isdedicated exclusively to the protection of a NAD itself or to datastored on the NAD. The firewall of the present invention is wrappedexclusively around a NAD and filters NAD-access requests that aregenerated both internally to a LAN and externally from the LAN based onIP addresses and other information contained in the header of a datapacket. Still, it should be understood that the foregoing relates onlyto the exemplary embodiments of the present invention, and that numerouschanges may be made thereto without departing from, the spirit and scopeof the invention as defined by the following claims.

What is claimed is:
 1. A system comprising: a first computing devicecoupled to an internal network; and a second computing device incommunication with the first computing device, wherein the secondcomputing device has at least one attached device and the secondcomputing device is isolated from the internal network; wherein thefirst computing device comprises a memory having stored thereoninstructions that, in response to execution on the first computingdevice, cause the first computing device to at least: receive datapackets over the internal network, wherein at least some of the datapackets are sent to the internal network from an external network;examine the data packets to determine whether the data packets containan IP address associated with the at least one attached device; filterdata packets containing a valid IP address in a header of the datapacket to determine whether to authorize data packets requesting accessto the at least one attached device; reformulate the data packets forcommunication to the second computing device; and transmit thereformulated packets to the second computing device in response todetermining that the request for access is authorized.
 2. The system ofclaim 1 wherein the instructions that, in response to execution on thefirst computing device, cause the first computing device to reformulatethe data packets comprise instructions that, in response to execution onthe first computing device, cause the first computing device to generatenew packets based on information contained in the data packets receivedover the internal network.
 3. The system of claim 1, further comprisinga firewall coupled between the internal network and the externalnetwork, and wherein the firewall is configured to filter data packetstransmitted over the external network and addressed to the internalnetwork.
 4. The system of claim 1 wherein the second computing devicefurther comprises operating system instructions that, in response toexecution on the second computing device, cause the second computingdevice to process the reformulated data packets for communication withthe at least one attached device over a communications interface.
 5. Thesystem of claim 1 wherein the instructions that, in response toexecution on the first computing device, cause the first computingdevice to filter data packets comprise instructions that, in response toexecution on the first computing device, cause the first computingdevice to determine whether the data packets contain authorized portinformation.
 6. The system of claim 1 wherein the instructions that, inresponse to execution on the first computing device, cause the firstcomputing device to filter data packets comprise instructions that, inresponse to execution on the first computing device, cause the firstcomputing device to determine whether the data packets containauthorized source network card information.
 7. The system of claim 1wherein the instructions that, in response to execution on the firstcomputing device, cause the first computing device to filter datapackets comprise application layer instructions.
 8. Acomputer-implemented method comprising: receiving, by a first computingdevice coupled to an internal network, data packets over the internalnetwork, wherein at least some of the data packets are sent to theinternal network from an external network; examining, by the firstcomputing device, the data packets to determine whether the data packetscontain an IP address associated with an attached device coupled to asecond computing device, wherein the second computing device is incommunication with the first computing device and the second computingdevice is isolated from the internal network; filtering, by the firstcomputing device, data packets by determining whether the IP address ina header of the data packets is valid to determine whether to authorizedata packets containing information indicative of a request for accessto the attached device; and reformulating, by the first computingdevice, the data packets for communication to the second computingdevice coupled to the attached device in response to authorizing thedata packets containing the information indicative of the request foraccess to the attached device.
 9. The method of claim 8, furthercomprising: communicating, by the second computing device, informationcontained in the data packets received by the second computing device tothe attached device over a communications interface between the secondcomputing device and the attached device.
 10. The method of claim 8,further comprising: filtering, by a firewall device coupled between theinternal network and the external network, packets received by thefirewall device over the external network; and transmitting, by thefirewall device, the filtered data packets from the external networkthat are addressed to the internal network.
 11. The method of claim 9,further comprising: processing, by the second computing device, the datapackets for communication with the attached device, wherein theprocessing is performed in part by an operating system of the secondcomputing device.
 12. The method of claim 8, further comprising:filtering, by the first computing device, the data packets to determinewhether the data packets contain authorized port information.
 13. Themethod of claim 8, further comprising: filtering, by the first computingdevice, the data packets to determine whether the data packets containauthorized source network card information.
 14. The method of claim 8wherein the filtering of data packets comprises application layerfiltering.
 15. The method of claim 8, further comprising: logging, bythe first computing device, information regarding data packets that arerejected.
 16. A non-transitory computer-readable storage mediumcomprising computer instructions that, in response to execution by afirst computing device, cause the first computing device to at least:receive data packets over an internal network, the first computingdevice coupled to the internal network, wherein at least some of thedata packets are sent to the internal network from an external network;examine the data packets to determine whether the data packets containan IP address associated with an attached device coupled to a secondcomputing device, wherein the second computing device is incommunication with the first computing device and the second computingdevice is isolated from the internal network; filter data packetscontaining a valid IP address in a header of the data packets todetermine whether to authorize data packets requesting access to theattached device; and generate new data packets, based at least in parton information contained within the data packets, for communication tothe second computing device in response to determining that the requestfor access is authorized, wherein the attached device is coupled to thesecond computing device by way of a communications interface.
 17. Thecomputer-readable storage medium of claim 16 wherein the secondcomputing device is configured to communicate information contained inthe new data packets to the attached device over the communicationsinterface.
 18. The computer-readable storage medium of claim 16 whereina third computing device is located on a firewall device coupled betweenthe internal network and the external network, and wherein the thirdcomputing device is configured to filter packets received by thefirewall device over the external network, and to transmit the filtereddata packets from the external network that are addressed to theinternal network.
 19. The computer-readable storage medium of claim 16wherein the second computing device comprises an operating system thatis configured to communicate the new data packets to the attached deviceover the communications interface.
 20. The computer-readable storagemedium of claim 16, further comprising computer instructions that, inresponse to execution by the first computing device, cause the firstcomputing device to filter the data packets to determine whether thedata packets contain authorized port information.
 21. Thecomputer-readable storage medium of claim 16, further comprisingcomputer instructions that, in response to execution by the firstcomputing device, cause the first computing device to filter the datapackets to determine whether the data packets contain authorized sourcenetwork card information.
 22. The computer-readable storage medium ofclaim 16 wherein the computer instructions that, in response toexecution by the first computing device, cause the first computingdevice to filter data packets comprise computer instructions that, inresponse to execution by the first computing device, cause the firstcomputing device to filter the data packets using application layerfiltering.
 23. The computer-readable storage medium of claim 16, furthercomprising computer instructions that, in response to execution by thefirst computing device, cause the first computing device to loginformation regarding data packets that are rejected.